InfoSec Handlers Diary Blog

Recently, I found a malicious Excel sheet which contained a VBA macro. One particularity of this file was that useful information was stored in cells. The VBA macro read and used them to download the malicious PE file. The Excel file looked classic, asking the user to enable macros:

The rest of the macro was, as usual, to download the malicious PE file, to store it on the disk and to execute it. The PE file has a VT score of 10/60 [1].

This is not the first time that I have seen this way of passing data to the macro. It makes it easy to configure campaigns with many URLs and samples without touching the macro itself. I had a bunch of 400 malicious Excel sheets to inspect. To search for such hidden content, I wrote a quick Python script [2] based on the XLRD [3] module. Yes, Python has third-party modules for almost any task! The goal is to detect two techniques used to hide data:

Hidden cells

Cells using the same colour for the text and the background (e.g. white text on a white background, which makes it unreadable)
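As an added example (this is not the diary's own script [2]), the following Python code implements both checks. The detection logic works on a small, library-independent cell description (the `CellInfo` dataclass, a name chosen here) so it can be exercised on constructed data; `cells_from_xls()` shows how to feed it from xlrd, which must open `.xls` files with `formatting_info=True` to expose row/column visibility and cell formats. The palette normalisation in the adapter (no fill treated as white, palette index 9; automatic font colour 0x7FFF treated as black, index 8) is an assumption about xlrd's default colour map.

```python
"""Flag spreadsheet cells that hide data by being in a hidden row/column or
by drawing text in the same colour as the cell background."""
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple


@dataclass
class CellInfo:
    sheet: str
    row: int
    col: int
    value: str
    row_hidden: bool
    col_hidden: bool
    font_colour: int   # palette index of the text colour
    fill_colour: int   # palette index of the cell background


def is_hidden(cell: CellInfo) -> bool:
    """Technique 1: the cell sits in a hidden row or a hidden column."""
    return cell.row_hidden or cell.col_hidden


def is_camouflaged(cell: CellInfo) -> bool:
    """Technique 2: text and background share one colour (white on white)."""
    return cell.font_colour == cell.fill_colour


def find_suspicious(cells: Iterable[CellInfo]) -> List[Tuple[str, int, int, str, List[str]]]:
    """Return (sheet, row, col, value, reasons) for every non-empty cell
    that matches at least one hiding technique."""
    findings = []
    for c in cells:
        if not c.value.strip():
            continue                      # empty cells carry no payload
        reasons = []
        if is_hidden(c):
            reasons.append("hidden row/column")
        if is_camouflaged(c):
            reasons.append("text colour == background colour")
        if reasons:
            findings.append((c.sheet, c.row, c.col, c.value, reasons))
    return findings


# Assumed xlrd palette conventions: index 8 = black, 9 = white,
# 0x7FFF = "automatic" font colour (rendered black).
XLRD_BLACK, XLRD_WHITE, XLRD_AUTO_FONT = 8, 9, 0x7FFF


def cells_from_xls(path: str) -> Iterator[CellInfo]:
    """Adapter for real .xls files; requires the third-party xlrd module."""
    import xlrd  # imported lazily so the detection logic runs without it
    book = xlrd.open_workbook(path, formatting_info=True)
    for sheet in book.sheets():
        for r in range(sheet.nrows):
            row_hidden = r in sheet.rowinfo_map and bool(sheet.rowinfo_map[r].hidden)
            for c in range(sheet.ncols):
                cell = sheet.cell(r, c)
                if cell.ctype == xlrd.XL_CELL_EMPTY:
                    continue
                xf = book.xf_list[cell.xf_index]
                font = book.font_list[xf.font_index]
                font_colour = font.colour_index
                if font_colour == XLRD_AUTO_FONT:
                    font_colour = XLRD_BLACK
                # fill_pattern 0 means "no fill": the background renders white
                fill_colour = (xf.background.pattern_colour_index
                               if xf.background.fill_pattern != 0 else XLRD_WHITE)
                col_hidden = c in sheet.colinfo_map and bool(sheet.colinfo_map[c].hidden)
                yield CellInfo(sheet.name, r, c, str(cell.value),
                               row_hidden, col_hidden, font_colour, fill_colour)


# Constructed sample mimicking the diary's sheet: one visible label, one URL
# in a hidden column, one white-on-white URL, and a decoy with no text.
SAMPLE_CELLS = [
    CellInfo("Sheet1", 0, 0, "Please enable macros", False, False, XLRD_BLACK, XLRD_WHITE),
    CellInfo("Sheet1", 5, 20, "hxxp://example.invalid/payload.exe", False, True, XLRD_BLACK, XLRD_WHITE),
    CellInfo("Sheet1", 6, 1, "hxxp://example.invalid/second.exe", False, False, XLRD_WHITE, XLRD_WHITE),
    CellInfo("Sheet1", 7, 1, "   ", True, False, XLRD_WHITE, XLRD_WHITE),
]


def scan_sample() -> List[Tuple[str, int, int, str, List[str]]]:
    return find_suspicious(SAMPLE_CELLS)


if __name__ == "__main__":
    for sheet, row, col, value, reasons in scan_sample():
        print(f"{sheet}!R{row + 1}C{col + 1}: {value!r} ({', '.join(reasons)})")
```

On a real corpus you would replace `SAMPLE_CELLS` with `cells_from_xls(path)` for each file; cells flagged by both checks at once are the most interesting, since a configuration value is often hidden twice over.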